
LDAP with TLS authentication issues

Jul 18th, 2013, 08:22 PM

I've recently had to add TLS to an existing implementation of LDAP authentication. I checked out the documentation and it seemed pretty straightforward - just add a DefaultTlsDirContextAuthenticationStrategy into the existing DefaultSpringSecurityContextSource. This particular implementation just requires authentication, not authorisation, so it uses simple bind authentication. It is also low volume, so connection pooling is not required; I disabled connection pooling and set shutdownTlsGracefully to true.
Testing against OpenLDAP I found there were 2 issues with this:
1) The TLS interaction was being initiated with the server, but the user was not being authenticated - the bind did not appear to be happening. The logs from slapd for the non-TLS and TLS tests were:
Non-TLS:
conn=32 fd=14 ACCEPT from IP=10.4.4.168:62012 (IP=0.0.0.0:389)
conn=32 op=0 BIND dn="uid=joe,ou=People,dc=blah,dc=com" method=128
conn=32 op=0 BIND dn="uid=joe,ou=People,dc=blah,dc=com" mech=SIMPLE ssf=0
conn=32 op=0 RESULT tag=97 err=0 text=
conn=32 op=1 UNBIND
conn=32 fd=14 closed
TLS:
conn=33 fd=14 ACCEPT from IP=10.4.4.168:62016 (IP=0.0.0.0:389)
conn=33 op=0 STARTTLS
conn=33 op=0 RESULT oid= err=0 text=
conn=33 fd=14 TLS established tls_ssf=128 ssf=128
conn=33 fd=14 closed (connection lost)

When I retried the user login with an incorrect password I got exactly the same behaviour and the user was authenticated when they should not have been.

It appears that SimpleDirContextAuthenticationStrategy and DefaultTlsDirContextAuthenticationStrategy are not symmetrical in their behaviour. I resolved this by creating a custom TlsDirContextAuthenticationStrategy and adding a ctx.reconnect() to the applyAuthentication(), after the environment settings for a simple bind have been set, as follows:

    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.ldap.LdapContext;

    private static final String SIMPLE_AUTHENTICATION = "simple";

    private void applyAuthentication(LdapContext ctx, String userDn, String password) throws NamingException {
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, SIMPLE_AUTHENTICATION);
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        // Force reconnect with user credentials: addToEnvironment alone does not send the BIND
        ctx.reconnect(null);
    }

2) In my initial testing I had an issue with the TLS connection not being closed correctly. When I checked out the source, AbstractTlsDirContextAuthenticationStrategy.processContextAfterCreation() creates a context proxy instance if shutdownTlsGracefully is true. This context is returned by the method to AbstractContextSource, but it is discarded at that point, as follows:

        try {
            authenticationStrategy.processContextAfterCreation(ctx, principal, credentials);
            return ctx;
            // Should be:
            // return authenticationStrategy.processContextAfterCreation(ctx, principal, credentials);
            // so that the returned DirContext is the proxy that wraps the TlsResponse.
        }
        catch (NamingException e) {
            closeContext(ctx);
            throw LdapUtils.convertLdapException(e);
        }
    }
I have seen a few issues relating to problems executing multiple StartTLS operation calls to an LDAP server - this may be the cause.

This applies to spring-ldap 1.3.1-RELEASE and spring-security-ldap 3.0.7-RELEASE (but it seems the same in the latest 3.1.4-RELEASE).
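A complete version of the custom strategy described in the post, together with the non-pooled context-source wiring and a check that a rejected bind now fails closed instead of "succeeding" as in the slapd log above. This is an added example, not the poster's code or Spring LDAP's own; the class name, the two helper methods and the placeholder URL/base are assumptions.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapContext;
import org.springframework.ldap.AuthenticationException;
import org.springframework.ldap.core.support.AbstractTlsDirContextAuthenticationStrategy;
import org.springframework.ldap.core.support.LdapContextSource;

/** StartTLS strategy that actually performs the simple bind after the TLS handshake (assumed name). */
public class ReconnectingTlsAuthenticationStrategy extends AbstractTlsDirContextAuthenticationStrategy {
    private static final String SIMPLE_AUTHENTICATION = "simple";

    @Override
    protected void applyAuthentication(LdapContext ctx, String userDn, String password) throws NamingException {
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, SIMPLE_AUTHENTICATION);
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        // addToEnvironment alone never sends a BIND on the already-open connection (hence slapd
        // logging STARTTLS but no BIND, and a wrong password "succeeding"). reconnect() re-binds
        // with the new principal/credentials over TLS and throws on a rejected bind (err=49).
        ctx.reconnect(null);
    }

    /** Non-pooled context source wired with this strategy, mirroring the post's setup (helper is assumed). */
    public static LdapContextSource contextSource(String url, String base) throws Exception {
        ReconnectingTlsAuthenticationStrategy strategy = new ReconnectingTlsAuthenticationStrategy();
        strategy.setShutdownTlsGracefully(true);
        LdapContextSource source = new LdapContextSource();
        source.setUrl(url);   // e.g. "ldap://ldap.example.test:389" (placeholder)
        source.setBase(base); // e.g. "dc=example,dc=test" (placeholder)
        source.setPooled(false); // StartTLS-negotiated contexts must not be reused from a pool
        source.setAuthenticationStrategy(strategy);
        source.afterPropertiesSet();
        return source;
    }

    /** Sanity check for the fix: true only if the server accepted the BIND, false on a bad password. */
    public static boolean credentialsAccepted(LdapContextSource source, String userDn, String password)
            throws NamingException {
        DirContext ctx = null;
        try {
            ctx = source.getContext(userDn, password); // StartTLS, then BIND via reconnect()
            return true;
        } catch (AuthenticationException rejected) {  // Spring's unchecked wrapper for err=49
            return false;
        } finally {
            if (ctx != null) ctx.close(); // also shuts TLS down gracefully once the proxy is returned
        }
    }
}
```

Run credentialsAccepted twice against a test directory, once with the right password and once with a wrong one; the slapd log should now show a BIND with err=0 and err=49 respectively, rather than only STARTTLS.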